Events from same host to same destination using same method
=========================================================================
# of   from             to               method
=========================================================================
2      192.168.15.106   204.15.193.132   (portscan) TCP Portsweep

Percentage and number of events from a host to a destination
============================================================
%        # of   from             to
============================================================
100.00   2      192.168.15.106   204.15.193.132

Percentage and number of events from one host to any with same method
==============================================================
%        # of   from             method
==============================================================
100.00   2      192.168.15.106   (portscan) TCP Portsweep

Percentage and number of events to one certain host
=================================================================
%        # of   to               method
=================================================================
100.00   2      204.15.193.132   (portscan) TCP Portsweep

Keep in mind Snort is not a firewall, and only alerts you when stuff is happening. It will not block it... for blocking I'd suggest something like APF... I use that on some of my Linux boxes in various DCs.

October 21st, 2006, 09:03 PM

bAgZ

It's just a port scan; I would not worry about it. As long as your box is updated and patched you should be fine.

October 22nd, 2006, 03:46 PM

thehorse13

Crap sloshing up against your perimeter is common. There is no evidence of anything other than an alert that one was done against you from a host in Asia. I'd worry if I saw the activity stop. LOL.